continual deployment with ansible... and managing SSH keys?

[Kevin Burton]

Right now I just manually SSH into a box in our cluster and run ansible.

But I want to automate this... Ideally I could just bump the version number in my code when I want it released... and 2 minutes later it would be staged, tested, and deployed.

But the issue is SSH auth.. many of my daemons need root.  I don't necessarily want to have keys just sitting there giving anyone full access to my cluster.  

[Michael DeHaan]

So a very good option for key management would be ansible tower - http://ansible.com/tower

Let Tower hold on to your key, and nobody will see it.  It will use ssh-agent behind the scenes (your key may be locked with a password or not) and only allow that key to be used for running Ansible playbooks.

(The key is saved encrypted in the database)

I'd also consider setting things up so something like an "ansible" user can sudo.  It isn't strictly required, but might help a little bit with tracking who does what.

(Tower also keeps good logs of this)

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/57b954e7-48a8-491a-8e64-7d7168c1b534%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Kevin Burton]

The SSH issue is still an issue if I"m letting this daemon run as root on tower, because anyone can just inject code if they can break into this box... 

[Michael DeHaan]

Not really.

Any config tool does need to actually configure the box, however Tower has role based access control that you can use to restrict *WHO* can configure the box.

Further, you can also control access to your source control so only certain people should have access to your playbooks.

You can allow some users you don't trust to deploy into test/stage environments, and only allow ops team members you trust to deploy into prod.

And that exists with every single configuration tool on the planet -- needing to be able to configure the system -- and is not a SSH key specific kind of thing.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/0b684ce8-dea1-4edc-b698-1cc07d0b8afe%40googlegroups.com.

[John Favorite]

i think he meant unauthorized access to the tower machine. Either way, thats a bigger issue.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgySEJWPPdNKU7%2BXp%2Be4MR_CBEJCAA9Umbb%2Bvb72k_Yisw%40mail.gmail.com.

[Michael DeHaan]

"i think he meant unauthorized access to the tower machine. Either way, thats a bigger issue. "

Yeah, it's not really possible to have unauthorized access to the Tower machine, unless you have a physical access problem.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAKsMCER2soB1Hp%3D5JG6v3cRDSheJmfoQGqzHhv_kThnOUwX%2BVA%40mail.gmail.com.

[John Favorite]

well lets hope for the best on the first :) but yeah, physical access = game over

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgyBkXY2UOHHLK5dPT114PTJx1iPZVD_uaT-og7ONGOMHA%40mail.gmail.com.